Tag Archives: HHS

Managing Your Health Information Risks Should Not Begin After a Breach Is Reported

By Lynn Sessions on December 4, 2014 Posted in Cybersecurity

Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. Our attorneys have written about specific examples of those services. Healthcare is plagued by a high frequency of reported breaches. Although they are often caused by employees making mistakes, such as misdirecting a fax or losing a thumb drive, we are seeing more and … Continue Reading

HHS Provides Guidance on HIPAA Privacy in Emergency Situations Such as Ebola

By Lynn Sessions and M. Scott Koller on November 11, 2014 Posted in Cybersecurity, HIPAA/HITECH, Medical Privacy

Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services. In the wake of the recent Ebola outbreak, the U.S. Department of Health and Human Services (“HHS”) has issued a guidance on how the Health Insurance Portability and Accountability Act … Continue Reading

Company Claims “HIPAA Has No Teeth”, Will Start Notifying Affected Individuals of Security Breaches and Vulnerabilities that Have Not Been Disclosed by Organizations

By Charles Shih on October 27, 2014 Posted in Data Breaches, HIPAA/HITECH, Medical Privacy

A company named SLC Security, LLC (“SLC”), recently announced that it will begin notifying individuals if it believes it has identified a security breach or vulnerability of a company and it has not received a satisfactory response from the company to which it reported the issue. On SLC’s blog, it claims it is providing “awareness … Continue Reading

Healthcare Privacy – 2013 Year in Review

By Lynn Sessions on January 2, 2014 Posted in HIPAA/HITECH, Medical Privacy

Authors: Lynn Sessions, Kimberly Wong, Cory Fox and Anne Foster. On January 25, 2013, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the long-awaited HIPAA Omnibus Final Rule (Final Rule), which includes the most sweeping changes to HIPAA since the Privacy and Security Rules were released. Under the … Continue Reading

HHS Closes Out 2013 with 6th Resolution Agreement

By Kimberly M. Wong on December 30, 2013 Posted in HIPAA/HITECH, Medical Privacy

Throughout 2013, HHS OCR has stated that covered entities of all sizes need to give priority to securing ePHI. In addition, HHS OCR has recommended that covered entities identify and mitigate risks before an incident occurs. HHS OCR’s enforcement activity during 2013 has focused on covered entities large and small. To end 2013, HHS OCR … Continue Reading

Health Plan Settles HHS OCR Investigation Related to Photocopier Breach for $1.2m

By Kimberly M. Wong on August 14, 2013 Posted in Enforcement, HIPAA/HITECH, Medical Privacy

The Department of Health and Human Services Office for Civil Rights (HHS OCR) today announced its 4th resolution agreement of 2013. Affinity Health Plan, Inc., a not-for-profit managed care plan serving the New York metropolitan area, has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. The resolution agreement relates … Continue Reading

HHS Reaches $400,000 Settlement Of Alleged HIPAA Security Rule Violations For Disabling Firewall Protections

By Theodore J. Kobus III on May 22, 2013 Posted in HIPAA/HITECH, Medical Privacy

The U.S. Department of Health and Human Services (HHS) has reported a $400,000 settlement with Idaho State University (ISU) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The incident giving rise to the investigation by the HHS Office for Civil Rights (OCR) involved a potential exposure of … Continue Reading

HHS Considers Amending HIPAA Privacy Rule to Permit Disclosure of Mental Health Information for Firearm Background Checks

By Cory J. Fox on May 10, 2013 Posted in HIPAA/HITECH, Medical Privacy

Adding yet another wrinkle to the nation’s contentious gun control debate, the U.S. Department of Health and Human Services (HHS) has released an Advance Notice of Proposed Rulemaking (ANPRM) soliciting information and public comment on possible amendments to the HIPAA Privacy Rule to permit disclosure of limited mental health information to the National Instant Criminal … Continue Reading

HHS Adopts Operating Rules for EFT and ERA Transactions

By Lynn Sessions on September 4, 2012 Posted in HIPAA/HITECH, Medical Privacy

The U.S. Department of Health and Human Services (HHS) recently released an interim final rule with comment period that adopts “Operating Rules” for electronic funds transfer (EFT) and electronic remittance advice (ERA) transactions by physician practices, hospitals and health plans. By replacing the burdensome, paper-driven billing practices currently employed by more than 70 percent of … Continue Reading

OCR HIPAA Training for State Attorneys General

By Lynn Sessions on June 19, 2012 Posted in HIPAA/HITECH, Medical Privacy

Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the materials used in training the state attorneys general (AGs) last year on the enforcement of the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR has published … Continue Reading

Online Calendar Paves Way for $100,000 HIPAA Settlement

By Lynn Sessions on May 2, 2012 Posted in HIPAA/HITECH, Medical Privacy

Phoenix Cardiac Surgery recently entered into a $100,000 settlement with the U.S. Department of Health & Human Services (HHS) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement is the result of an investigation by the HHS Office for Civil Rights (OCR) after it … Continue Reading

Update: Final HITECH Act Regulations Amending HIPAA Privacy And Security Will Be Published In 2012

By John Mulhollan on January 11, 2012 Posted in HIPAA/HITECH, Medical Privacy

During 2011, informal indications were given by the HHS Office of Civil Rights (OCR) and various industry experts that the final HITECH Act regulations amending the HIPAA privacy and security regulations would be published by the end of 2011. However, as of January 6, 2012, the regulations continue to be delayed, due to the numerous … Continue Reading

Privacy and Data Breach Regulatory Activity–A Year in Review

By Theodore J. Kobus III on December 29, 2011 Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Enforcement, HIPAA/HITECH, Identity Theft, Information Security, Medical Privacy, Online Privacy, Payment Card Industry

While plaintiffs continue to face an uphill battle proving damages in privacy litigation – regulatory actions and investigations seem to be increasing. During 2011, we saw activity from many government agencies—both state and federal—including the Federal Trade Commission (FTC), Department of Education (DOE), Department of Health and Human Services (HHS) Office for Civil Rights (OCR), … Continue Reading

After the Data Breach: What Do Regulators Expect and What Can I do to Prepare?

By Theodore J. Kobus III on September 21, 2011 Posted in Data Breaches

Today is very exciting for me. It is my first day at Baker Hostetler as National Co-Leader of the Privacy, Security and Social Media Team. And, it is also my first contribution to Data Privacy Monitor. Not only am I joining a solid privacy team that is supported by a large platform, I now have an opportunity … Continue Reading

Annual HITECH Report to Congress

By Lynn Sessions on September 12, 2011 Posted in Data Breaches, HIPAA/HITECH, Medical Privacy

Health and Human Services (HHS) made its first annual report to Congress last week regarding the number and nature of breaches reported to the Office of Civil Rights (OCR) since the effective date of HITECH as is required by the HITECH Act. HHS also submitted information as to the actions taken by the reporting entities … Continue Reading

HHS to Propose New Privacy Standards for Human Research Subjects

By Lynn Sessions on July 27, 2011 Posted in HIPAA/HITECH, Mobile Privacy

The Department of Health and Human Services (HHS) provided an Advanced Notice of Proposed Rule Making (ANPRN) on July 22, 2011, to enhance protections for medical research subjects, including standards around privacy and data security. The ANPRN seeks comments on how better to protect human research subjects while facilitating valuable research. The current Common Rule … Continue Reading

Proposed Rule Would Change HIPAA Accounting of Disclosures – Covered Entities Will Continue to Face Significant Technical Challenges

By John Mulhollan on June 13, 2011 Posted in HIPAA/HITECH, Medical Privacy

On May 31, 2011, the U.S. Department of Health and Human Services (HHS) published a proposed rule adopting sweeping changes to the “accounting of disclosures” requirement under 45 C.F.R. § 164.528 that likely are to have a significant impact on the health information technology (HIT) systems being implemented by many healthcare providers, health plans (including … Continue Reading

HHS Inspector General Reports Highlight IT Security Gaps in Health Care

By John Mulhollan on May 26, 2011 Posted in HIPAA/HITECH, Medical Privacy

On May 16, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued two reports critical of the government’s efforts to build and enforce a federal information security framework for protecting individuals’ electronic protected health information (ePHI). Of particular interest to health care providers and health plans, these reports … Continue Reading

HIPAA Bombshells — Major Civil Monetary Penalties Imposed Against Covered Entities for Privacy Violations

By John Mulhollan on March 2, 2011 Posted in Enforcement, HIPAA/HITECH, Medical Privacy

The last week of February 2011 will likely be remembered as a noteworthy milestone in the history of HIPAA privacy enforcement by the Department of Health and Human Services (“HHS”). Showing that HHS intends to vigorously exercise the expanded civil monetary penalty enforcement provisions enacted in 2009 under the Health Information Technology for Economic and … Continue Reading

Noteworthy Data Privacy and Information Security Events in 2010

By Craig A. Hoffman on December 31, 2010 Posted in Behavioral Advertising, Breach Notification, Data Breach Notification Laws, Enforcement, Federal Legislation, Financial Privacy, HIPAA/HITECH, Information Security, Medical Privacy, Online Privacy

The two events that drew the most attention in 2010, both of which occurred at year-end, were reports from the FTC and the Department of Commerce. Below is a brief summary of those two reports and other issues drawing attention in the past year: (1) FTC Issues Long-Awaited Consumer Privacy Policy Report On December 1, … Continue Reading

HHS Withdraws Draft Of Final HIPAA Breach Nofitifcation Rule

By John Mulhollan on September 2, 2010 Posted in Federal Legislation, HIPAA/HITECH, Medical Privacy

On July 28, 2010, the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced that it withdrew the draft of the final rule for HIPAA breach notification that it had submitted in May to the Office of Management and Budget (OMB) for review. The possible reasons for such withdrawal will be discussed below, but covered entities should note that the obligation to report breaches of unsecured protected health information (PHI), which took effect on September 23, 2009, following the publication of an Interim Final Rule promulgated under the Health Information Technology for Economic and Clinical Health Act (HITECH Act), remains in effect. All covered entities, and their business associates, should have in place and/or adhere to an effective Breach Notification Policy containing appropriate procedures to investigate, report and mitigate breaches of privacy or security of PHI.… Continue Reading